A standard letsencrypt leaf certificate has an OCSPServer field but no CRLDistributionPoints field. The CRLDistributionPoints field is given in the intermediate certificate (issuer of leaf certificate). That makes it difficult to verify the CRL, because the CRL is signed by the issuer of the intermediate certificate which isn’t present in the certificate chain.
Feature request: add CRLDistributionPoints to leaf certificate
A typical cert chain makes it clear:
CERTIFICATE DETAILS ...
SignatureAlgorithm : SHA256-RSA
PublicKeyAlgorithm : RSA
Version : 3
SerialNumber : 299760584395680137105513467069717201743597
Subject : CN=www.freizeitkarte-osm.de
Issuer : CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
NotBefore : 2019-09-12 22:18:26 +0000 UTC (valid for 90 days)
NotAfter : 2019-12-11 22:18:26 +0000 UTC (expires in 39 days)
KeyUsage : 5 (101, KeyEncipherment, DigitalSignature)
ExtKeyUsage : ServerAuth, ClientAuth
IsCA : false
DNSNames : www.freizeitkarte-osm.de
OCSPServer : http://ocsp.int-x3.letsencrypt.org
IssuingCertificateURL : http://cert.int-x3.letsencrypt.org/
PolicyIdentifiers : 2.23.140.1.2.1 (domain validation), 1.3.6.1.4.1.44947.1.1.1
SubjectKeyId : 374cafefa428e297718071c6b6a8168bc49a4b02
AuthorityKeyId : a84a6a63047dddbae6d139b7a64565eff3a8eca1
CERTIFICATE DETAILS ...
SignatureAlgorithm : SHA256-RSA
PublicKeyAlgorithm : RSA
Version : 3
SerialNumber : 13298795840390663119752826058995181320
Subject : CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Issuer : CN=DST Root CA X3,O=Digital Signature Trust Co.
NotBefore : 2016-03-17 16:40:46 +0000 UTC (valid for 1826 days)
NotAfter : 2021-03-17 16:40:46 +0000 UTC (expires in 501 days)
KeyUsage : 97 (1100001, CRLSign, CertSign, DigitalSignature)
IsCA : true
OCSPServer : http://isrg.trustid.ocsp.identrust.com
IssuingCertificateURL : http://apps.identrust.com/roots/dstrootcax3.p7c
CRLDistributionPoints : http://crl.identrust.com/DSTROOTCAX3CRL.crl
PolicyIdentifiers : 2.23.140.1.2.1 (domain validation), 1.3.6.1.4.1.44947.1.1.1
SubjectKeyId : a84a6a63047dddbae6d139b7a64565eff3a8eca1
AuthorityKeyId : c4a7b1a47b2c71fadbe14b9075ffc41560858910